FCA Final Notice: AML systems and controls and Principle 11

This article highlights the importance of actively managing the risk of financial crime by fostering a culture of regulatory compliance, and sets out some key lessons from the Final Notice.

Key issues from the Final Notice issued by the Financial Conduct Authority (FCA) to Sonali Bank (UK) Limited on 12 October 2016

The fight against financial crime continues to be a top priority for the FCA and they continue to focus on the importance of systems and controls within regulated firms to detect and prevent financial crime. On 12 October 2016 the FCA issued Final Notices to Sonali Bank (UK) Limited (SBUK) (the Final Notice) and Steven Smith, its Money Laundering Officer (MLRO) and Compliance Officer. The FCA imposed a financial penalty of £3,250,600 and restricted SBUK from accepting deposits from new customers for a period of 168 days. The FCA also imposed a limited prohibition and financial penalty of £17,900 on Mr Smith and prohibited him from performing the compliance and money laundering officer roles (SMF16, SMF17, CF10 and CF11).

This note highlights the importance of actively managing the risk of financial crime by fostering a culture of regulatory compliance, and sets out some key lessons from the Final Notice. The FCA expects firms to have in place effective, proportionate and risk-based systems and controls to ensure that the risk of their business being used for financial crime is minimised.

SBUK Final Notice

SBUK is the UK subsidiary of a Bangladeshi bank, Sonali Bank Limited, which operates six UK branches offering personal and corporate banking services, money remittance services and trade finance services. During 2014, SBUK had 2,457 live customer accounts and 85,625 registered remitters. Its business turnover was £10,113,368 in 2014.

The FCA found that SBUK failed to ensure that it had adequate systems and controls in place effectively to manage the risk of financial crime within its business.

The FCA found that, between 20 August 2010 and 21 July 2014, SBUK breached Principle 3 of the Principles for Businesses (systems and controls) due to cultural and systemic failings which were pervasive across “almost all levels of [SBUK’s] business and governance structure”, including the MLRO function. The specific failings identified included:

  • lack of culture of compliance - failure to ensure that the importance of AML compliance was embedded throughout the business, despite receiving both internal and external warnings of a culture of non-compliance
  • inadequate oversight of MLRO function - the function was under-resourced and failed to identify systemic weaknesses in its own AML processes
  • inadequate AML policy - the policy failed to provide practical and meaningful guidance to staff, and
  • poor Customer Due Diligence (CDD), Enhanced Due Diligence (EDD) and ongoing monitoring - particularly when establishing a business relationship in higher risk situations including failing to identify Politically Exposed Persons (PEPs) and to identify and report suspicious activities.

In addition, whilst SBUK was under investigation, the FCA identified that between 27 March and 15 May 2015 SBUK had failed to notify the FCA in a timely manner of a suspected employee fraud against a customer, in breach of Principle 11 (cooperation with the regulator).

Individual accountability

The FCA concluded that Mr Smith, as MLRO and Compliance Officer at SBUK, was knowingly concerned in the Principle 3 breach by SBUK. The FCA found that Mr Smith demonstrated a serious lack of competence and capability and was therefore not a fit and proper person to perform senior management compliance and anti-money laundering roles (SMF16, SMF17, CF10 and CF11).

The FCA identified that Mr Smith failed to:

  • alert the SBUK board as to adverse effects of a lack of resourcing within the MLRO function
  • react to warnings from the FCA and Internal Audit as to weaknesses in SBUK’s compliance and AML processes, and rejected the recommendations of Internal Audit
  • identify the serious lack of knowledge and understanding of AML issues amongst branch staff and ensure that there was an effective process to undertake an ongoing assessment of AML risks posed by individual customers, and
  • ensure that there was an effective system for identifying PEPs and conducting adequate EDD of PEPs.

Seriousness

SBUK’s failings were considered to be particularly serious by the FCA for a number of reasons:

  • Systemic weaknesses across the entire business - weaknesses were identified in the AML procedures, management systems and internal controls across all of SBUK’s business.
  • Significant risk that financial crime would occur - SBUK’s business model, including international transfer of funds and non-face-to-face business in Bangladesh (an AML higher risk jurisdiction) posed a heightened risk of financial crime.
  • Awareness of risk - SBUK had access to considerable public guidance on how to comply with its regulatory requirements. In 2010 the FSA notified SBUK of concerns about the serious weaknesses in its AML systems and controls and, despite a remediation plan being agreed, the effectiveness of these measures was not monitored or assessed by SBUK. Internal Audit also issued clear warnings and stated that, in respect of AML issues, SBUK had a “cultural mind-set which needed to change”. The FCA revisited the firm in 2014 and appointed a skilled person pursuant to section 166 of FSMA.

However, the FCA acknowledged in the Final Notice that SBUK has now invested in improving its AML systems and controls by appointing an independent non-executive director who has specific AML skills, engaging an external consultant to assist in a detailed review of its AML systems and controls, updating its employee guidance and policies and enhancing its risk assessment and onboarding procedures for retail customers, PEPs and any high risk accounts. In addition, SBUK has provided AML refresher training for its branch staff and retained an external contractor to conduct a past business review of its client on-boarding files.

Key messages

Culture of compliance

Firms are expected to be able to demonstrate a culture that supports effective regulation, and senior management are key to delivering cultural change. The FCA expects good culture to be embedded at all levels of the business in order to enable the effective identification and prevention of financial crime. A board should take reasonable steps to consider, assess, document and mitigate the risks (including AML) posed by its business model.

The failure to learn lessons

This is a recurring theme across recent FCA final notices. The FCA takes serious steps to sanction firms where the FCA has previously intervened in respect of identified risks, and expects that firms will take these issues seriously and take adequate steps to remedy any concerns. Any remediation work undertaken needs to be properly implemented and monitored to ensure its effectiveness.

The importance of regulatory notifications

SUP 15.3.17 requires a firm which becomes aware of a significant employee fraud against a customer to notify the FCA immediately. In this case SBUK identified an employee fraud of £23,000 but did not notify the FCA for seven weeks (in the context of an ongoing FCA investigation which focussed on AML and financial crime systems and controls).

Effect on competition

It is clear that the FCA is concerned that firms which do not invest in implementing robust and effective AML systems and controls may be perceived as having an “unfair competitive advantage” over compliant firms. This could manifest itself in lower compliance costs or looking more attractive to customers who wish to avoid CDD and EDD.

Business restriction

It is notable that the FCA has chosen to utilise its power also to impose a business restriction on SBUK, as a punitive measure in addition to a financial penalty. The FCA can choose to impose a restriction where it believes that such action will be a more effective and persuasive deterrent than the imposition of a financial penalty alone (DEPP 6A.2.3G). The FCA imposed a significant financial penalty (a third of the firm’s 2014 turnover) in addition to a 168 day business restriction (to prevent SBUK from accepting new depositors).

This is only the fourth time that the FCA has utilised this power and the restriction imposed on SBUK is by some margin the longest ever imposed (previously 126 and 72 days). It is also arguably the widest in scope, covering all new deposit-taking business, so that SBUK’s current customers are not adversely affected.
